The Group Admin Role
The Group Administrator role stands apart from the other Admin roles because it allows for increased administrative control. While this role performs mainly user-related tasks (create users, deactivate users, reset passwords, etc.), it can also be used to restrict these tasks to a select group or groups of Okta users. In essence, you can “delegate” permissions to a particular admin to manage a specific group.
Note: This feature only applies to groups created in Okta.
One use for this role might be a franchise, where each location needs to silo and control its location-specific teams. Each franchise would need to create and manage its own data without affecting or being affected by the others. Another example might be a company that owns many distinct product brands. One “umbrella” company owns them, but each brand has some homegrown and unique departments that have no relation to the other brands.
Guidance for Structuring Okta Groups
Getting the most out of this role requires careful selection of Okta groups. The groups you create and choose should reflect your organization's structure or boundaries of control.
Another good practice is to grant one admin role per admin. Having said that, there are cases where customers might need to assign multiple administrator roles to a single admin. One example might be combining an App Admin role and a Group Admin role. Since the Group Admin is the only role defined by groups, adding the App Admin role can expand the admin's view and edit permissions without compromising security. For this reason, Okta supports combining admin permissions.
Admins only receive notifications about locked-out users who are in the group or groups that the admin manages.
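The guidance above (scope each Group Admin to specific groups, prefer one role per admin, treat App Admin plus Group Admin as a supported combination) can be checked periodically against a list of role assignments. The following is an added example, not Okta's own code: the record layout, sample data, and finding names are constructed for illustration, and the role strings are the Okta API role type names (USER_ADMIN is the Group Administrator role).

```python
# Added example: audit delegated admin assignments against the guidance above.
# The record layout and finding names are assumptions, not an Okta export format.
from collections import defaultdict

GROUP_ADMIN = "USER_ADMIN"  # Okta API role type for Group Administrator
APP_ADMIN = "APP_ADMIN"

# Constructed sample data: one row per (admin, role) assignment.
SAMPLE_ASSIGNMENTS = [
    {"admin": "alice@example.com", "role": GROUP_ADMIN, "group_targets": ["Franchise-East"]},
    {"admin": "bob@example.com", "role": GROUP_ADMIN, "group_targets": []},
    {"admin": "carol@example.com", "role": GROUP_ADMIN, "group_targets": ["Brand-A"]},
    {"admin": "carol@example.com", "role": APP_ADMIN, "group_targets": []},
    {"admin": "dave@example.com", "role": GROUP_ADMIN, "group_targets": ["Brand-B"]},
    {"admin": "dave@example.com", "role": "ORG_ADMIN", "group_targets": []},
]


def audit(assignments):
    """Return sorted (admin, finding) tuples for assignments that need review."""
    roles_by_admin = defaultdict(set)
    findings = set()
    for row in assignments:
        roles_by_admin[row["admin"]].add(row["role"])
        # Assumption: a Group Admin with no group targets is not delegated to
        # a specific group, so the silo the role is meant to enforce is absent.
        if row["role"] == GROUP_ADMIN and not row["group_targets"]:
            findings.add((row["admin"], "group-admin-not-scoped"))
    for admin, held in roles_by_admin.items():
        if len(held) <= 1:
            continue  # one role per admin: matches the stated good practice
        if held == {GROUP_ADMIN, APP_ADMIN}:
            # The combination the guidance names as a legitimate case;
            # reported separately so it can be confirmed rather than removed.
            findings.add((admin, "app+group-combination"))
        else:
            findings.add((admin, "multiple-roles"))
    return sorted(findings)


if __name__ == "__main__":
    for admin, finding in audit(SAMPLE_ASSIGNMENTS):
        print(f"{admin}: {finding}")
```
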
Group Administrator Permissions
The Group Administrator role has a fixed set of permissions, but there are also restrictions on what this role can do.
Group Admins have the following permissions:
Group Admins have the following restrictions. They cannot
Set Up a Group Administrator
To create and configure the Group Admin role, do the following:
In the resulting dialog box, do the following
Edit an Administrator
On the Security > Administrator page, select the pencil icon to edit an administrator or the X icon to delete an administrator. If you delete an administrator, you are revoking all administrator privileges, but not deleting the individual user.
For more information, see Administrators.